Office365 OAuth: Add support for specifying a tenant * Added new InitOauth parameter 'tenant'. * If the parameter 'tenant' is not set it will default to the tenant 'organizations'. * If the parameter 'tenant' is set it will use a specific AD to authenticate the users. Change-Id: Id4c9e659b238dda2ad417901ddf6462f82324da0
diff --git a/src/main/java/com/googlesource/gerrit/plugins/oauth/InitOAuth.java b/src/main/java/com/googlesource/gerrit/plugins/oauth/InitOAuth.java index 854ba5b..6f7ca01 100644 --- a/src/main/java/com/googlesource/gerrit/plugins/oauth/InitOAuth.java +++ b/src/main/java/com/googlesource/gerrit/plugins/oauth/InitOAuth.java
@@ -34,6 +34,7 @@ static final String USE_EMAIL_AS_USERNAME = "use-email-as-username"; static final String ROOT_URL = "root-url"; static final String REALM = "realm"; + static final String TENANT = "tenant"; static final String SERVICE_NAME = "service-name"; static String FIX_LEGACY_USER_ID_QUESTION = "Fix legacy user id, without oauth provider prefix?";
diff --git a/src/main/java/com/googlesource/gerrit/plugins/oauth/Office365Api.java b/src/main/java/com/googlesource/gerrit/plugins/oauth/Office365Api.java index 7e9bef8..4a3d0e1 100644 --- a/src/main/java/com/googlesource/gerrit/plugins/oauth/Office365Api.java +++ b/src/main/java/com/googlesource/gerrit/plugins/oauth/Office365Api.java
@@ -19,14 +19,30 @@ import com.github.scribejava.core.oauth2.clientauthentication.RequestBodyAuthenticationScheme; public class Office365Api extends DefaultApi20 { + public static final String DEFAULT_TENANT = "organizations"; + + private final String tenant; + + public Office365Api() { + this(DEFAULT_TENANT); + } + + public Office365Api(String tenant) { + this.tenant = tenant; + } + @Override public String getAccessTokenEndpoint() { - return "https://login.microsoftonline.com/organizations/oauth2/v2.0/token"; + return endpointFor("token"); } @Override public String getAuthorizationBaseUrl() { - return "https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize"; + return endpointFor("authorize"); + } + + private String endpointFor(String suffix) { + return String.format("https://login.microsoftonline.com/%s/oauth2/v2.0/%s", tenant, suffix); } @Override
diff --git a/src/main/java/com/googlesource/gerrit/plugins/oauth/Office365OAuthService.java b/src/main/java/com/googlesource/gerrit/plugins/oauth/Office365OAuthService.java index 4e0803b..1edec0e 100644 --- a/src/main/java/com/googlesource/gerrit/plugins/oauth/Office365OAuthService.java +++ b/src/main/java/com/googlesource/gerrit/plugins/oauth/Office365OAuthService.java
@@ -53,6 +53,7 @@ private final OAuth20Service service; private final String canonicalWebUrl; private final boolean useEmailAsUsername; + private final String tenant; @Inject Office365OAuthService( @@ -62,12 +63,13 @@ PluginConfig cfg = cfgFactory.getFromGerritConfig(pluginName + CONFIG_SUFFIX); this.canonicalWebUrl = CharMatcher.is('/').trimTrailingFrom(urlProvider.get()) + "/"; this.useEmailAsUsername = cfg.getBoolean(InitOAuth.USE_EMAIL_AS_USERNAME, false); + this.tenant = cfg.getString(InitOAuth.TENANT, Office365Api.DEFAULT_TENANT); this.service = new ServiceBuilder(cfg.getString(InitOAuth.CLIENT_ID)) .apiSecret(cfg.getString(InitOAuth.CLIENT_SECRET)) .callback(canonicalWebUrl + "oauth") .defaultScope(SCOPE) - .build(new Office365Api()); + .build(new Office365Api(tenant)); if (log.isDebugEnabled()) { log.debug("OAuth2: canonicalWebUrl={}", canonicalWebUrl); log.debug("OAuth2: scope={}", SCOPE);
diff --git a/src/main/resources/Documentation/config.md b/src/main/resources/Documentation/config.md index 19eb426..24addfd 100644 --- a/src/main/resources/Documentation/config.md +++ b/src/main/resources/Documentation/config.md
@@ -48,6 +48,11 @@ client-id = "<client-id>" client-secret = "<client-secret>" root-url = "<phabricator url>" + + [plugin "@PLUGIN@-office365-oauth"] + client-id = "<client-id>" + client-secret = "<client-secret>" + tenant = "<tenant (optional defaults to organizations if not set)>" ``` When one from the sections above is omitted, OAuth SSO is used. @@ -222,3 +227,22 @@ The client-id and client-secret for Phabricator can be obtained by registering a Client application. See [Using the Phabricator OAuth Server](https://secure.phabricator.com/book/phabcontrib/article/using_oauthserver/). + +### Office365 +The client-id and client-secret for Office365/Azure can be obtained by registering a new application, +see [OAuth 2.0 and OpenID Connect protocols on Microsoft identity platform](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols). + +####Username +By default Office365 OAuth will not set a username (used for ssh) and the user can choose one from the web ui +(needed before using ssh). To automatically set the user part from the email the option *use-email-as-username* +can be used. +``` +plugin.gerrit-oauth-provider-office365-oauth.use-email-as-username = true +``` + +####Tenant +By default, the Gerrit OAuth plugin is using the tenant `organizations`. A specific tenant can be set +by using the option `tenant`. +``` +plugin.gerrit-oauth-provider-office365-oauth.tenant = <tenant to use> +```